With evolving cross-border relations with the United States, many Canadian companies are broadening their view of international business. Although most of our clients are Canadian, we are currently enjoying working with a Europe-based organization. Here are a few items we’ve learned to keep in mind when working with an overseas team. Most are common sense, but the upcoming General Data Protection Regulation (GDPR) is particularly worth considering when embarking on a European Union project.
Our client has team members across the world. Fortunately for us, they have addressed the potential language challenges by having English as their official working language. Even so, it is worth taking extra care when speaking and writing, to ensure clear understanding with those for whom English is not their first language.
With most of Europe 9 hours ahead of us in Vancouver, we plan meetings in our early morning.
While we do enough work in the United States to have a US bank account – which is readily available in Canadian banks – it is less straightforward to receive payment in other currencies. We arranged to be paid in Canadian dollars, while reporting on project status in Euros.
One of our tasks was to set the client up with the non-profit version of Google’s G Suite. To do so, we needed to find our way through a few unfamiliar regulations and establish our eligibility. It is worth factoring in additional effort when dealing with foreign regulations.
The upcoming General Data Protection Regulation (GDPR) is the most significant novelty with the project. This European Parliament regulation is to take effect May 25, 2018, with the intent to strengthen data protection for individuals within the EU. It applies to any organization managing the personal data of an EU member, so the potentially hefty fines could apply to non-EU organizations when working with European members’ data.
The regulation is focussed on effective data management policy, rather than technical compliance, and specifies that organizations must assign a Data Protection Officer to be accountable for compliance with the regulation. The GDPR requires transparent use of personal data, including clear consent – and easy withdrawal of consent – as well as clearly disclosed use of any collected personal data. The organization is required to provide persons with a copy of collected data on request, and to forget (completely erase) any personal data when requested. In addition, an organization is required to promptly inform affected persons of any breach of data, and notify others without delay.
The regulation does lean toward the technical side of data management by specifying that an organization must design for privacy by limiting access to personal data and only storing necessary data. In addition, the data must be easily exported and read using a standard format.
While it is possible to see the GDPR as an onerous constraint to working on projects that collect and store personal data from EU members, I feel the regulations are aligned with best practices for data management. Those organizations who must undertake significant changes to comply will better serve the persons whose data they collect. We plan on referring to the GDPR, even when working with Canadian organizations.
For additional info, see http://www.eugdpr.org/